Contributing Questions for Actual Communication Tests

SUMMARY The actual communication tests for assets include contributing questions and parameters that you choose when you create a Policy Monitor test.

When you apply the have not condition to a test, the negation is associated with the parameter that you are testing, not with the communication itself.

For example, if you configure a test as have not accepted communication to destination networks, the test detects assets that have accepted communications to networks other than the configured networks. Similarly, if you configure a test as have not accepted communication to the Internet, the test detects assets that have accepted communications from or to address space other than the Internet.
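The following Python example is added here to illustrate the have not semantics described above; it is not Policy Monitor code, and the flow records, asset addresses, and the DMZ range are constructed for the example. It contrasts the parameter-level negation that Policy Monitor applies with the whole-predicate negation a reader might otherwise expect.

```python
import ipaddress

# Constructed sample flow records (source asset, destination IP); not real data.
FLOWS = [
    ("10.1.1.10", "10.2.0.5"),      # asset .10 talks to the DMZ ...
    ("10.1.1.10", "203.0.113.7"),   # ... and to an Internet address
    ("10.1.1.20", "10.2.0.9"),      # asset .20 talks only to the DMZ
    ("10.1.1.30", "198.51.100.4"),  # asset .30 talks only to the Internet
]

# Assumed "destination networks" parameter for the test: the DMZ range.
DMZ = [ipaddress.ip_network("10.2.0.0/16")]


def in_networks(ip, nets):
    """True if ip falls inside any of the configured networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def have_accepted_to(flows, nets):
    """'have accepted communication to destination networks':
    assets with at least one flow whose destination is inside nets."""
    return {src for src, dst in flows if in_networks(dst, nets)}


def have_not_accepted_to(flows, nets):
    """'have not accepted communication to destination networks' as the
    page describes it: the negation binds to the parameter, so this
    returns assets with at least one flow to a destination OUTSIDE nets."""
    return {src for src, dst in flows if not in_networks(dst, nets)}


def never_communicated_to(flows, nets):
    """Whole-predicate negation (assets with NO flow into nets), shown only
    for contrast; this is not what the have not condition evaluates."""
    return {src for src, _ in flows} - have_accepted_to(flows, nets)
```

Note that asset 10.1.1.10 appears in both the positive and the have not result, because it has flows to the DMZ and to addresses outside it.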

The following table lists and describes the contributing question parameters for actual communication tests.

Table 1: Contributing Question Parameters for Actual Communication Tests
Test Name Description
have accepted communication to any destination

Detects assets that have communications to or from any configured network.

Run this test to define a start or end point to your question.

For example, to identify the assets that accepted communication from the DMZ, configure the test as follows:

have accepted communication from any source

You can use this test to detect out-of-policy communications.

have accepted communication to destination networks

Detects assets that have communications to or from the networks that you specify.

Run this test to define a start or end point to your question.

For example, to identify the assets that communicated to the DMZ, configure the test as follows:

have accepted communication from source <networks>

You can use this test to detect out-of-policy communications.

have accepted communication to destination IP addresses

Detects assets that have communications to or from the IP address that you specify.

Run this test to specify an IP address or a CIDR range.

For example, if you want to identify all assets that communicated to a specific compliance server, configure the test as follows:

have accepted communications to destination <compliance server IP address>

have accepted communication to destination asset building blocks

Detects assets that have communications to or from the asset building blocks that you specify. Run this test to reuse building blocks defined in the JSA Rules Wizard in your query.

For more information about rules, assets, and building blocks, see the Juniper Secure Analytics Administration Guide.

have accepted communication to destination asset saved searches

Detects assets that have communications to or from the assets that are returned by the saved search that you specify.

For more information about creating and saving an asset search, see the Juniper Secure Analytics Users Guide.

have accepted communication to destination reference sets

Detects assets that communicated to or from the reference sets that you specify.

have accepted communication to destination remote network locations

Detects assets that communicated with networks defined as a remote network.

For example, this test can identify hosts that communicated to botnets or other suspicious Internet address space.

have accepted communication to destination geographic network locations

Detects assets that communicated with networks defined as geographic networks.

For example, this test can detect assets that attempted communications with countries in which you do not have business operations.

have accepted communication to the Internet

Detects source or destination communications to or from the Internet.

are susceptible to one of the following vulnerabilities

Detects specific vulnerabilities.

If you want to detect vulnerabilities of a particular type, use the are susceptible to vulnerabilities with one of the following classifications test instead.

You can search for vulnerabilities by using the OSVDB ID, CVE ID, Bugtraq ID, or title.

are susceptible to vulnerabilities with one of the following classifications

A vulnerability can be associated with one or more vulnerability classifications. This test filters all assets that include vulnerabilities with the specified classifications.

Configure the classifications parameter to identify the vulnerability classifications that you want this test to apply.

For example, a vulnerability classification might be Input Manipulation or Denial of Service.

are susceptible to vulnerabilities with CVSS score greater than 5

A Common Vulnerability Scoring System (CVSS) value is an industry standard for assessing the severity of vulnerabilities. CVSS is composed of three metric groups: Base, Temporal, and Environmental. These metrics allow CVSS to define and communicate the fundamental characteristics of a vulnerability.

This test filters assets in your network that include vulnerabilities with the CVSS score that you specify.

are susceptible to vulnerabilities disclosed after specified date

Detects assets in your network with a vulnerability that is disclosed after, before, or on the configured date.

are susceptible to vulnerabilities on one of the following ports

Detects assets in your network with a vulnerability that is associated with the configured ports.

Configure the ports parameter to identify ports you want this test to consider.

are susceptible to vulnerabilities where the name, vendor, version, or service contains one of the following text entries

Detects assets in your network with a vulnerability that matches the asset name, vendor, version, or service based on one or more text entries.

Configure the text entries parameter to identify the asset name, vendor, version, or service you want this test to consider.

are susceptible to vulnerabilities where the name, vendor, version, or service contains one of the following regular expressions

Detects assets in your network with a vulnerability that matches the asset name, vendor, version, or service based on one or more regular expressions.

Configure the regular expressions parameter to identify the asset name, vendor, version, or service you want this test to consider.

are susceptible to vulnerabilities contained in vulnerability saved searches

Detects risks that are associated with saved searches that are created in JSA Vulnerability Manager.

Deprecated Contributing Test Questions

Contributing questions that are replaced by another test are hidden in Policy Monitor.

The following tests are hidden in the Policy Monitor:

  • assets that are susceptible to vulnerabilities
  • assets that are susceptible to vulnerabilities from the following services

These contributing tests are replaced by other tests.